x-tweet-by-url

Fail

Audited by Gen Agent Trust Hub on Jul 9, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The execution logic in SKILL.md utilizes an unsafe pattern for running local scripts: META=$(python scripts/classify-url.py '{url}'). This instruction is highly susceptible to shell command injection because the {url} variable is directly interpolated into a bash command string without escaping or sanitization. An attacker providing a URL containing shell metacharacters (e.g., ;, `, $(...)) could execute arbitrary commands on the host system with the privileges of the agent.
  • [PROMPT_INJECTION]: The skill processes untrusted data from X, creating an attack surface for indirect prompt injection where malicious instructions embedded in tweets could influence the agent's subsequent actions.
  • Ingestion points: Untrusted content is ingested from X timelines (search results, user profiles, lists, and tweet details) in SKILL.md and processed by scripts/parse-tweets.py.
  • Boundary markers: There are no specific delimiters or instruction-level warnings defined to isolate the scraped tweet text from the agent's operational instructions.
  • Capability inventory: The agent has the capability to execute shell commands via the bash tool and perform browser automation/network monitoring via browser-act.
  • Sanitization: Neither SKILL.md nor the Python scripts perform any sanitization, filtering, or validation of the tweet content to prevent it from being interpreted as instructions by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 9, 2026, 11:21 AM
Security Audit — agent-trust-hub — x-tweet-by-url